Matterport Information Security Overview & Frequently Asked Questions

Matterport is committed to keeping our customers' data secure and ensuring private data is protected. The purpose of this document is to provide a high-level overview of Matterport’s security controls in a form that does not require a non-disclosure agreement (NDA) to be in place between the respective organizations. The information in this document is therefore not classified as confidential. More detailed information and documentation are available under NDA and can be accessed via an online portal. Please contact Matterport Customer Success to gain access.

Overview of Matterport Information Security and Privacy Programs

Matterport has a formal information security and privacy program in place. The highlights are as follows:

Compliance self-assessments and evidence documentation available under NDA

3rd-party vulnerability and pen tests conducted annually - reports are available under NDA

GDPR compliance

EU-US and Swiss-US Privacy Shield self-certification

Personnel

All Matterport employees and contractors are subject to background checks upon employment, or at the start of a contractor engagement.

Employees are required to acknowledge they have read the employee handbook.

Access to Matterport facilities is controlled via keycards and monitored by video surveillance. Additional controls are in place for restricted areas. Note that data center access is managed by Amazon Web Services.

Upon termination, a formal offboarding process is followed under the supervision of the IT and HR teams

The following summarizes the key elements of Matterport’s infrastructure:

Applications are hosted in the AWS us-east-1 region in Virginia, USA

Access to production systems is managed by AWS IAM using MFA and Okta

All data at rest is encrypted using AES-256, with AWS KMS for key management

All data in motion on the internet is encrypted using HTTPS/TLS 1.2

Matterport staff members are granted access to production systems only when necessary to carry out their job function, and only after access is approved by senior management

All AWS API calls and all AWS console/CLI activity are logged using AWS CloudTrail

AWS infrastructure is monitored using AWS GuardDuty and CloudHealth for vulnerabilities and suspicious activity

Databases are backed up daily using AWS RDS built-in snapshot functionality, and the backups are stored in Amazon S3. All backups are encrypted.

Data in AWS S3 is distributed in a redundant architecture and has 11 nines of durability

Infrastructure performance and uptime are monitored using Datadog (internal to environment) and Site24x7 (external to environment)

AWS has comprehensive security controls and has multiple compliance certifications in place. AWS security and compliance can be reviewed here: https://aws.amazon.com/security/

Matterport Cloud Security

Matterport Cloud (https://my.matterport.com) provides user access control by means of usernames and passwords. MFA and SSO are not currently supported, but are being considered for future enhancements.

Matterport users typically have either an admin role or a regular (‘Collaborator’) user role. User role functionality, however, is beyond the scope of this document, and is described in Matterport’s online user documentation.

3D spaces, and associated assets created on the Matterport platform, have a simple public/private access control model, as follows:

All assets belonging to a space are private by default, and can only be accessed within Matterport Cloud by authorized users.

If a space is not set to public, it is only accessible to 1) Collaborators that have been given Editor or Viewer access to the model, 2) account admins in your account, or 3) Matterport staff, when necessary.

If a space is set to public, users who have a URL link to it can access it.

Access to a space is logged and tagged with at least the source IP address and timestamp; however, these logs are typically only available to Matterport staff.

Matterport Security FAQs

In addition to the information contained in the previous sections, the following table contains answers to frequently asked questions about Matterport’s information security and privacy posture.

Where is the infrastructure located?

Amazon Web Services us-east-1 region in Virginia, USA.

Can a customer’s data be located in another country or AWS region?

No.

Does Matterport use a CDN?

Yes, Fastly.

Are both public and private spaces cached in the Fastly CDN?

Yes.

Can customers control which countries their spaces are cached in?

No; however, the CDN is not pre-loaded, so model data is only cached at the closest geographical Fastly POP.

Are there any scalability upper limits for space (3D model) distribution?

No, there are no practical upper limits.

Does each customer have a dedicated environment?

No, the Matterport Cloud is a shared, multi-tenant environment which is logically segregated.

Who can access Matterport infrastructure?

Only Matterport staff with elevated privileges, approved by management, can access the environment.

Is Matterport ISO 27001 certified?

No, formal audits have not taken place; however, Matterport follows many of the ISO 27001 guidelines.

Does Matterport have an Information Security Policy?

Yes, available under NDA.

Is encryption used?

Yes, data at rest is encrypted using AES-256 with AWS KMS for key management. All data in motion on the internet uses HTTPS with TLS 1.2.

Does the JavaScript for 3D Showcase have access to the host web page?

No, 3D Showcase is contained in an iframe and has a separate domain from the host web page.